Open 1cho1ce opened 1 year ago
Thanks for the PR. I will start reviewing this tomorrow and hopefully get the nftables support ready in June.
Sorry, I didn't check openvpn and forgot to add forward rules for it. Also changed nft to use custom chains.
@1cho1ce - I have been trying to use your forked version on Qubes 4.2 and after a lot of trying, I couldn't get it to work with Fedora templates, but eventually when I changed to a Debian 11 template it worked fine.
I do have one problem though, I was previously (on 4.1) using edited qubes-firewall-user-script & rc.local to allow local network access (192.168.150.0/24 in my case). I have copied & adjusted these as below but can't get any lan access now:
# from qubes-firewall-user-script
# Allow forwarding of connections through upstream network device
# if they're to 192.168.150.x
#iptables -I FORWARD -o eth0 -d 192.168.150.0/24 -j ACCEPT
#iptables -I FORWARD -i eth0 -s 192.168.150.0/24 -j ACCEPT
nft 'insert rule ip filter FORWARD oifname "eth0" ip daddr 192.168.150.0/24 counter accept'
nft 'insert rule ip filter FORWARD iifname "eth0" ip saddr 192.168.150.0/24 counter accept'
# from rc.local
# Allow access to home network for backup, etc.
ip route add 192.168.150.0/24 via 10.137.0.7 dev eth0
TBH - I'm not very familiar with nft & edited the iptables-I FORWARD rules above using iptables-translate. Has anyone got local access working on 4.2 with nft?
I have been trying to use your forked version on Qubes 4.2 and after a lot of trying, I couldn't get it to work with Fedora templates, but eventually when I changed to a Debian 11 template it worked fine.
I've fixed this issue with Fedora template.
I do have one problem though, I was previously (on 4.1) using edited qubes-firewall-user-script & rc.local to allow local network access (192.168.150.0/24 in my case). I have copied & adjusted these as below but can't get any lan access now:
You can replace these iptables rules:
iptables -I FORWARD -o eth0 -d 192.168.150.0/24 -j ACCEPT
iptables -I FORWARD -i eth0 -s 192.168.150.0/24 -j ACCEPT
With these nftables rules:
nft insert rule ip qubes custom-forward oifgroup 1 ip daddr 192.168.150.0/24 accept
nft insert rule ip qubes custom-forward iifgroup 1 ip saddr 192.168.150.0/24 accept
Is this pull request in good working order? Has it been deemed insufficient? I am just wondering what further needs to be done in order to create a working solution. I am not yet familiar with nftables rules, but I will research and see if I can help if something is missing.
Also would like to know if this PR works, I just need to be able to VPN with 4.2
This PR worked out of the box for me - many thanks. Not tested failure modes. Running on debian-12-minimal. @1cho1ce, like many others I am struggling with nft - would it be possible to add a paragraph to the Firewall Notes section to provide an example of port forwarding setup ? Thanks
[ed] My best guess that seems to be working - in a file in qubes-firewall.d:
PORTS="{ 1234, 1235 }"
nft add rule ip qubes dnat-dns iifgroup 9 tcp dport $PORTS dnat to 10.137.0.XX
and the same for udp. Anything else recommended?
There are a few errors in the PR with allowing traffic from VPN to qubes and typos related to IPv6. This was discussed here: https://forum.qubes-os.org/t/vpn-instructions-for-4-2/20738/78
You can apply the patch using this command:
~/Qubes-vpn-support$ git apply /path/to/patch
Additional notes: If no Qubes OS virtual IPv6 DNS servers are used then the IPv6 DNS from VPN provider won’t be used and qubes will use their own IPv6 DNS servers. I saw a pull request from 1choice to add virtual IPv6 DNS support to Qubes OS so I guess that was related to this change. If no DNS is provided by VPN server then requests to virtual DNS IPs will leak from qubes. I guess it's better to use some default DNS like 9.9.9.9 in case no DNS will be provided by VPN.
Qubes dropped iptables support and replaced it with nftables: https://github.com/QubesOS/qubes-core-agent-linux/commit/28b95535c7cbd15543c804e822c0e4c997f5966e This pull request replaces iptables with nftables.
Removed
allow established input
rules fromproxy-firewall-restrict
since they are already present in nft tables ip/ip6 qubes.TODO: Need to think of a better way to check in
--check-firewall
inqubes-vpn-setup
script if the forward drop rules are present (orproxy-firewall-restrict
script finished successfully).